For more than two hours on Friday morning, much of the web seemed to grind to a halt—or at least slow to dial-up speed—for many users in the United States.
More than a dozen major websites experienced outages and other technical problems, according to user reports and the web-tracking site downdetector.com. They included The New York Times, Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, EA, the PlayStation Network, and others.
How was it possible to take down all those sites at once?
Someone attacked the architecture that held them together: the domain-name system, or DNS, the distributed lookup service that translates easy-to-remember names like theatlantic.com into the numeric addresses of a company's actual web servers. The assault took the form of a distributed denial-of-service attack (DDoS) on one of the major companies that hosts authoritative DNS on behalf of other companies. A DDoS attack is one in which an attacker floods a target “with so much junk traffic that it can no longer serve legitimate visitors,” as the security researcher Brian Krebs put it in a blog post Friday morning. The affected sites' own servers were not attacked; browsers simply could no longer find out where those servers were, because the nameservers that many of them shared were unable to answer.
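The mechanism described above, that a single managed-DNS provider can be a shared point of failure for many unrelated sites, and that resolver caching delays but does not prevent the outage once record TTLs expire, is easy to see in a small model. The following is an added example, not code from the article or from Dyn: the nameserver hostnames, provider names, zone data, addresses and TTLs are all constructed for illustration, and the resolver is a deliberately minimal simulation rather than a real recursive resolver.

```python
"""Simulated DNS dependency check and caching resolver (constructed example)."""
from dataclasses import dataclass, field

# Constructed mapping of authoritative nameserver hosts to the managed DNS
# provider that operates them. Hypothetical names, not real providers.
NS_PROVIDER = {
    "ns1.managed-dns.example.": "ProviderA",
    "ns2.managed-dns.example.": "ProviderA",
    "ns1.other-dns.example.": "ProviderB",
    "ns2.other-dns.example.": "ProviderB",
}

# Constructed zone data: domain -> (authoritative NS hosts, A record, TTL in seconds).
# news.example. delegates only to ProviderA; shop.example. splits its NS set
# across two providers.
ZONES = {
    "news.example.": (["ns1.managed-dns.example.", "ns2.managed-dns.example."],
                      "192.0.2.10", 300),
    "shop.example.": (["ns1.managed-dns.example.", "ns2.other-dns.example."],
                      "192.0.2.20", 300),
}


def single_provider_domains(zones=ZONES, providers=NS_PROVIDER):
    """Return {domain: provider} for domains whose whole NS set sits at one provider.

    These are the domains that disappear together when that provider is DDoSed.
    """
    result = {}
    for domain, (ns_hosts, _address, _ttl) in zones.items():
        provs = {providers[ns] for ns in ns_hosts}
        if len(provs) == 1:
            result[domain] = provs.pop()
    return result


@dataclass
class CachingResolver:
    """Minimal recursive resolver: answers from cache until the record's TTL expires,
    otherwise asks the zone's authoritative servers."""
    down_providers: set = field(default_factory=set)   # providers currently unreachable
    cache: dict = field(default_factory=dict)          # name -> (address, expires_at)

    def resolve(self, name, now):
        """Return the address for `name` at simulated time `now`, or None on failure."""
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            return entry[0]          # cache hit: authoritative servers are not contacted
        ns_hosts, address, ttl = ZONES[name]
        # The query succeeds if any authoritative server belongs to a reachable provider.
        reachable = [ns for ns in ns_hosts if NS_PROVIDER[ns] not in self.down_providers]
        if not reachable:
            return None              # SERVFAIL: every authoritative server is unreachable
        self.cache[name] = (address, now + ttl)
        return address


if __name__ == "__main__":
    print("single-provider domains:", single_provider_domains())
    r = CachingResolver()
    r.resolve("news.example.", now=0)            # warm the cache
    r.down_providers.add("ProviderA")            # the provider goes under attack
    print("t=100 (cached):", r.resolve("news.example.", now=100))
    print("t=300 (TTL expired):", r.resolve("news.example.", now=300))
    print("t=300 shop (second provider):", r.resolve("shop.example.", now=300))
```

The first function is the check a site operator would want to run against real NS records: if every nameserver for a domain resolves to the same operator, the domain has a single point of failure regardless of how redundant the web servers behind it are. The resolver shows why the outage appeared to spread over the morning rather than hitting everyone at once: resolvers that had recently looked up a name kept answering until the TTL ran out.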
Dyn, a leading DNS provider, confirmed that it experienced a global denial-of-service attack on its “Managed DNS” infrastructure, causing service interruptions across the internet, initially for people on the East Coast. “We have been aggressively mitigating the DDoS attack against our infrastructure,” Scott Hilton, a vice president at Dyn, said in a statement provided by a spokesman. The issues had been mostly resolved by 9:20 a.m. Eastern Time, just over two hours after the company first reported problems, he said. (Amazon also experienced problems with its hosting services, CNBC reported, but the company has not confirmed them.)
If it seems like there have been more of these sorts of outages lately, it’s because there have. “Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them,” the security technologist Bruce Schneier wrote in a blog post in September. “Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated. And they look like probing.”
“Probing” here does not mean exploiting a particular website's code. It describes attacks that ramp up in volume and shift between techniques in a way that looks designed to measure how much traffic a target's defenses can absorb and exactly where they break, the kind of reconnaissance an attacker would do before trying to take the target down for real. “We don't know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses,” Schneier wrote.
The stakes of such an attack—and the possibility of a state actor—seem especially high in the United States, given the extent of alleged outside tampering with the approaching presidential election.
In September, Krebs, the security researcher, also suffered a massive DDoS attack on his blog. It was so large, and so much bigger than historically comparable attacks, that internet-infrastructure company Akamai told him it could no longer host his blog pro bono, as it had for four years. (A spokesman for Akamai said none of its customers were affected by Friday’s attack.)
When his blog came back online, he attributed the assault to “super-empowered individuals who have been quietly building extremely potent cyber weapons with transnational reach.” He believes that someone harnessed a vast number of internet-connected “internet of things” devices, “mainly routers, IP cameras, and digital video recorders,” to make DDoS attacks of unprecedented size. Many of these devices ship with weak default credentials, and some have hard-coded passwords that the owner cannot change at all, so they can be enrolled in a botnet simply by logging in.
He compared a successful DDoS attack to a kind of censorship that the web can’t route around. “It's hard to imagine a stronger form of censorship than these DDoS attacks because if nobody wants to [host your website,] then that's pretty effective censorship,” he told Ars Technica.
In the wake of that attack, Schneier argued that the U.S. government must regulate the internet of things or face DDoS-ing botnets of dangerous size. Botnets of compromised machines already carry out most large DDoS attacks, and automated bots of all kinds account for a large share of overall web traffic anyway.
“DDoS mitigation firms simply did not count on the size of these attacks increasing so quickly overnight,” Krebs wrote on Friday, “and are now scrambling to secure far greater capacity to handle much larger attacks concurrently.”
Even before the attack on Krebs’s site, Akamai had reported the largest DDoS attack ever measured on its routed network earlier this year. “We also saw more web application and DDoS attacks than ever before, a trend that shows no sign of reversing,” Akamai wrote in a 2016 security report.
Repeat DDoS attacks are now “the norm,” Akamai says. Websites that sustained such attacks in the second quarter of the year experienced not one or two strikes, but an average of 27 such attacks. Akamai says it saw a 129 percent increase in DDoS attacks in the second quarter of 2016 compared with the same period in the year before.
These statistics are sobering. Friday morning’s attack essentially prevented American web users from Norfolk to New York, and from Cleveland to Connecticut, from reading the news, checking their bank accounts, or pushing new code for their employer. News sites, local governments, and the presidential campaigns themselves should consider what could happen if an even larger attack were to transpire on election day.